Key distribution in a multiple access network using quantum cryptography

ABSTRACT

In a method of quantum cryptography, a transmitter (T) communicates on a quantum channel with several receivers (R1-R3). The receivers are located on different branches of a common communications network The method establishes a different respective secret key for each receiver. A timing pulse may be transmitted from the transmitter to the receivers to synchronise the receivers prior to a transmission on a quantum channel. The quantum channel may be multiplexed and transmitted concurrently with classical multi-photon transmissions on the network.

RELATED APPLICATIONS

This application is related to the following copending commonly assignedapplications:

    ______________________________________                                        08/464,710 filed August 15, 1995 entitled "SYSTEM AND                                    METHOD FOR KEY DISTRIBUTION USING                                             QUANTUM CRYPTOGRAPHY" naming                                                  Townsend as inventor (now U.S. Pat. No.                                       5,675,648);                                                        08/612,881 filed April 22, 1996 entitled "METHOD FOR                                     KEY DISTRIBUTION USING QUANTUM                                                CRYPTOGRAPHY" naming Messrs. Phoenix                                          and Barnett as inventors;                                          08/612,880 filed March 8, 1996 entitled "SYSTEM AND                                      METHOD FOR KEY DISTRIBUTION USING                                             QUANTUM CRYPTOGRAPHY" naming                                                  Messrs. Townsend and Blow as inventors;                            08/617,848 filed March 8, 1996 entitled "SYSTEM AND                                      METHOD FOR QUANTUM CRYPTOGRAPHY"                                              naming Mr. Blow as inventor; and                                   08/776,296 filed January 30, 1997 entitled "QUANTUM                                      CRYPTOGRAPHY" naming Townsend as                                              inventor.                                                          ______________________________________                                    

BACKGROUND TO THE INVENTION

The present invention relates to a system for the communication ofencrypted data. In particular, it relates to the technique known asquantum cryptography.

In quantum cryptography, data is encoded at the transmitter and decodedat the receiver using some specified algorithm which is assumed to befreely available to all users of the system, whether authorised orotherwise. The security of the system depends upon the key to thealgorithm being available only to the authorised users. To this end, thekey is distributed over a secure quantum channel, that is a channelcarried by single-photon signals and exhibiting non-classical behaviour,as further discussed below. The transmitter and the receiver thencommunicate over a separate channel, known as the public channel, tocompare the transmitted and the received data. The presence of anyeavesdropper intercepting the transmitted key results in a change in thestatistics of the received data, which can be detected. Accordingly, inthe absence of any such change in the statistics of the data, the key isknown to be secure. The secret key thus established is used in theencryption and decryption of subsequent communications between thetransmitter and receiver. For added security, the existing key mayperiodically be replaced by a newly generated key.

In general, a communication method using quantum cryptography includesthe steps of:

(a) randomly selecting one of a plurality of encryption alphabetscorresponding to different, non-commuting quantum mechanical operatorsand encoding a signal for transmission on the quantum channel using theselected operator;

(b) randomly selecting one of the different quantum mechanical operatorsand using that operator in detecting the signal transmitted in step (a);

(c) repeating steps (a) and (b) for each of a multiplicity of subsequentsignals;

(d) communicating between the transmitter and the receiver independentlyof the encryption alphabets to determine for which of the transmittedsignals common operators were selected by the transmitter and receiver,

(e) comparing the signals transmitted and received in steps (a) and (b)to detect any discrepancy resulting from the presence of aneavesdropper; and,

(f) in the event that in step (e) no eavesdropper is detected, using atleast some of the data transmitted in steps (a) and (b) as a key forencryption/decryption of subsequent data transmissions between the twousers of the channel. This scheme is described in detail in C. H.Bennett, G. Brassard, S. Breidbart and S. Wiesner, in "Advances incryptology: Proceedings of Crypto'82, (Plenum, N.Y., 1983); C. H.Bennett and G. Brassard, IBM Technical Disclosure Bulletin, 28 3153,(1985).

In the term "encryption alphabet" as used herein, "encryption" refers tothe coding of the single-photon pulses during the key distribution phaserather than to the subsequent encryption of text for transmission once akey has been established.

SUMMARY OF THE INVENTION

According to the present invention, a method of communication usingquantum cryptography is characterised in that a transmitter communicateson a quantum channel over a common communications network with aplurality of receivers located on the common communications network andestablishes a different respective secret key for each receiver.

Hitherto, quantum cryptography has only been used for communicationbetween a single transmitter and receiver pair operating over adedicated communication link. Typically the link has been provided by anoptical fibre. The present invention by contrast uses quantumcryptography on a multiple access network. While the use of multipleaccess networks is of course well known for general communicationspurposes, such architectures are on the face of it unsuitable forquantum cryptography, since their functioning depends upon the classicalbehaviour of the signal at each branch or junction on the network. Thisbehaviour breaks down in the case of the single-photon signals used forquantum cryptography. Such signals cannot be treated as being split ateach branch, but instead must travel down one path or another, or belost from the system, with a certain probability. The present inventorhas realised however that the non-classical behaviour of a single-photonsignal on such a network can be used to advantage to allow a differentkey to be established between the transmitter and each individualreceiver. This makes possible subsequent secure bi-directionalcommunication of encrypted data between the transmitter and eachreceiver using classical, i.e. multi-photon, signals. These encryptedtransmissions are preferably made on the same common communicationsnetwork used to carry the quantum channel. Alternatively, differentcommunication systems might be used for the classical and quantumchannels. In particular, the public discussion phase, that is steps (d)and (e) of the protocol, might for example use radio transmissions forcommunication between the transmitter and receiver. In the standardpoint-to-point application of quantum cryptography some of the secretbits that are generated are used to authenticate the messages passedover the public channel. This confirms that the legitimate users of thechannel are in direct communication without the intervention of aneavesdropper references mentioned above!. In this multi-user version ofquantum cryptography, secret bits are generated at all terminals thusenabling authentication to be performed for all network users ifrequired.

In the method adopted in the present invention, in steps (a) to (c) ofthe transmission protocol, each encoded bit transmitted is either lostfrom the system or received at one only of the plurality of receivers.The transmitter outputs a sufficient number of bits, each bit beingcarried by one single-photon signal, for each receiver to establish an rbit key, where r is a predetermined integer. The number of transmittedbits required is determined by the coupling ratios at each branch, theattenuation in the network, and the error rates in the raw key data, asdescribed in further detail below. Each receiver receives a differentsequence of bits, randomly determined by the paths taken by theindividual single- photon pulses. Therefore, after the completion of thepublic discussion phase and testing to ensure there has been noeavesdropping, in accordance with steps (e) and (f) of the quantumcryptography protocol, the transmitter has established a distinctsequence of r secret bits with each terminal R_(i) on the network. Thesesecret bits can be used both for authentication and the generation of arespective shared key K_(i), as described for the standardpoint-to-point application in C. H. Bennett, F. Bessette, G. Brassard,L. Salvail and J. Smolin: J. Crypt., 5, 3 (1992) and Bennett/BrassardIBM Tech. Discl. (already referenced on page 2 line 18). If required,the controller/transmitter can then use the individual K_(i) as keys inone-time pad encryptions of a master network key or keys. The latter canthen be securely distributed to all receivers/terminals, or subsets ofterminals, on the network. Consequently, two types of encryptedcommunication are enabled. In one-to-one communications the controllerand R_(i) use K_(i) to encrypt the multi-photon data signals that arebroadcast in either direction on the network. Hence, although thesesignals are broadcast on the network and are therefore accessible to allreceivers, only R_(i) and the controller can decode these particulardata transmissions. In this scenario secure inter-terminalcommunications can still take place between e.g. R_(i) and R_(j),however the controller must act as an interpreter using its knowledge ofK_(i) and K_(j) to decode and encode the incoming and outgoing signals.Any-to-any communications can also take place among subsets of terminalssharing a master key, and in this case, if a transmission path goes viathe controller, the controller only needs to perform routing orre-transmission of the incoming encoded data.

The current invention may be used in a range of multiple access networkarchitectures such as, for example, tree, bus, ring or star configuredPassive Optical Networks (PONS), or combinations thereof. There are awide range of applications for such network architectures, includinge.g. optically-distributed computer LANs, local-accesstelecommunications networks, and cable-television distribution networks.The invention can be used to increase the security of such systems inseveral different ways. For example, in the scenario of a local-accesstelecommunications network, the network may link several independentcustomers to a single transmitter or exchange. In this case thetransmitter authenticates and establishes individual keys with some orall of the network users in order to enable secure one-to-onecommunications. This prevents potentially hostile or competitive usersof the network from gaining access to each others data transmissions.Alternatively, the network may be used to link the dispersed sites of asingle customer to a central exchange or controller. In this case, thecontroller can protect the integrity of the network as a whole byestablishing individual keys with each remote terminal which may then beused to distribute a network master key or keys. Any-to-any securecommunications are then enabled as described above. The latter scenariois also relevant to the case of a secure optically distributed computerLAN. The invention can be used to increase the security of such systemsin several different ways. For example, the network may link severalindependent customers to a single transmitter or exchange. In this case,the transmitter sets up individual keys with some or all of the networkusers thereby preventing potentially hostile or competitive users of thenetwork from gaining access to each others data transmissions.Alternatively, the network may be used to link the dispersed sites of asingle customer to a central transmitter node. In this case thetransmitter node plays the role of a central secure exchange. Byestablishing individually secure links with each remote terminal thetransmitter can protect the integrity of the network as a whole as wellas enabling secure communication between different terminals.

Preferably the key distribution process is initiated by thesynchronisation of the system to a master clock in the transmitter. Thisprocess provides timing information which is subsequently used fordecoding the quantum key data. Synchronisation may preferably be carriedout using multi-photon timing pulses which are broadcast on the opticalfibre network. The terminals then detect these pulses and thereby locktheir local clocks to the central master clock. The central node thensends a time-referenced sequence of signals of suitable quantum statesonto the network. These may take the form, for example, ofsingle-photons obtained from a parametric amplifier source or,alternatively, weak pulses of light from an attenuated laser which ingeneral contain no more than one and on average substantially less thanone photon per pulse. Appropriate sources are discussed in theapplicant's co-pending International applications PCT/GB 93/02637 (WO94/15422) and PCT/GB 93/02075 (WO 94/08409), the subject matter of bothapplications being incorporated herein by reference. Both types of pulseexhibit the required quantum properties and the term "single-photonpulse" is used herein to denote all such pulses, irrespective of howthey are produced. The pulses are encoded in different phase orpolarisation states.

DESCRIPTION OF THE DRAWINGS

Embodiments of a system in accordance with the present invention willnow be described in further detail by way of example only, withreference to the accompanying drawings, in which:

FIG. 1 is a diagram showing schematically a network embodying theinvention;

FIGS. 2a and 2b are diagrams showing the allocation of wavelengths tothe quantum and classical channels of a system embodying the presentinvention;

FIG. 3 is a detailed block diagram of a second embodiment of theinvention;

FIGS. 4a and 4b show details of polarisation modulators used in atransmitter and receiver respectively;

FIGS. 5a and 5b are a transmitter and receiver respectively for use inan alternative embodiment;

FIG. 6 is a schematic of a further alternative embodiment;

FIG. 7 is a graph showing phase modulator states for a transmitter(upper plot) and receiver (lower plot);

FIG. 8 is an alternative polarisation modulator; and

FIG. 9 is a flow diagram.

DESCRIPTION OF EXAMPLES

A communication system embodying the present invention in a firstexample comprises a transmitter T and three receivers R1-R3. Thetransmitter T and receivers R1-R3 are linked by a passive opticalnetwork (PON) having a tree topology. At each junction in the network50/50 couplers C1,C2 are provided.

In use, prior to the distribution of a key from the transmitter to thereceivers, the system is synchronised to a clock in the transmitter. Inorder correctly to time the ensuing quantum transmissions, the differentreceivers must know when to begin making their single-photonmeasurements, i.e. they must know when the first time-slot defined bythe transmitter is due to arrive. This will depend on the distance ofthe receiver from the transmitter. However, if initial synchronisationdata is sent over the same network, the receivers can take account ofthe different time delays by initiating their quantum measurements at afixed time τ after the final clock pulse arrives. This is matched by thetransmitter, which initiates the quantum transmission also at time τafter the final clock pulse has been sent. This procedure is akin to theranging techniques traditionally used in PONS to prevent time-slotcollision on the return path from the terminals to the central node. Inpractice, therefore, elements of the timing system for the quantum keydistribution channel may be combined with the ranging system used tocontrol standard data transmission in the network.

In general, the paths from the central node to the various terminals inthe network will have different channel transmission coefficients, andhence the received single-photon bit-rates will also differ fromterminal to terminal. Since real single-photon counting detectors sufferfrom saturation at high count rates, there will be an upper limit on theallowable bit rate in the network. In addition, a lower limit on the bitrate is set by the requirement that the photo-count rate must be largecompared with any background count rate due to noise mechanisms such asdetector dark current. In order to avoid problems with detectorsaturation, it may be preferable to equalise all the detector countrates to that of the terminal with the lowest transmission coefficient.This can be achieved by means of optical attenuation or by controllingthe sensitivity of the detectors, e.g., by varying the reverse biasvoltage in an avalanche photodiode detector (APD). An appropriate APD isdiscussed below.

FIG. 1 illustrates a case where equalisation is not employed. Here,assuming that the fibre loss is negligible, the transmissioncoefficients are t₁ =0.5 for the T-R1 path, and t₂ =t₃ =0.25 for theT-R2 and T-R3 paths respectively. This means that R1 will receive twiceas many photons as either R2 or R3, and the count rates are chosen tolie within the detector performance limits discussed above. In order toestablish three r-bit keys, the transmitter must send (p)⁻¹ ×(4r)photons, where p is a protocol- and error-dependent constant thatrepresents the probability that a received raw key bit generates a finalkey bit. In the general case, the distribution of n r-bit keys requires(p)⁻¹ ×(r/t_(j)) photons, where t_(j) is the smallest transmissioncoefficient in the network. In addition, system inefficiencies such asdetector noise will lead to errors in the transmitted key data whichmust be identified and eliminated as outlined in C. H. Bennett, F.Bessette, G. Brassard and L. Salvail, J. Cryptology 5, 3 (1992). Thisprocess leads to a compression of the raw key data which must be takeninto account if a final key of length r-bits is required. At the end ofthe public discussion stage of the protocol (d)-(f), which includes theauthentication procedure, all terminals must be in possession of m≧rsecret bits. They then agree with the transmitter to use e.g. the firstr-bits of their individual sequences to form the individual keys.

The quantum key distribution channel is arranged to operateindependently of other transmission channels which use the network tocarry either the encrypted data or standard (non-encrypted) signals.This is important since the quantum channel operates in a non-continuousburst transmission mode, whereas in general the data channels will berequired to provide uninterrupted continuous transmission. The requiredseparation of the quantum channel may be provided through use of areserved wavelength, different from that used by the data channels. Inthis case the quantum channel could be isolated by means ofwavelength-sensitive passive optical components such as WDM couplers(e.g. Scifam Fibre Optics P2SWM13/15B) and filters (e.g. JDS TB1300A).FIGS. 2a and 2b illustrate two possible variations of this scheme. Inthe first case, shown in FIG. 2a, the quantum channel lies within the1300 nm telecommunication window along with several other channelsreserved for conventional signal traffic. In the second situation, shownin FIG. 2b, the 850 nm window is reserved for the quantum channel. Thishas the advantage that single-photon detectors for this wavelength(Silicon APDs) are relatively insensitive to 1300 nm light and thereforeisolation from the data channels is easier to achieve. This approachwould require WDM couplers such as the JDS WD813 to combine and separatethe quantum and conventional channels. Alternatively the 1500 nm bandmight be used for conventional signal traffic while the 1300 nm band isreserved for the quantum channel. Since, the sensitivity of germaniumAPDs is high at 1300 nm and falls rapidly for wavelengths longer thanabout 1400 nm, these detectors would be an attractive choice for thisparticular wavelength division scheme. The wavelength separationtechnique would also allow active components such as optical amplifiers(e.g. erbium or praseodymium rare-earth-doped fibre amplifiers) to beused at the data channel wavelengths, whilst operating the quantumchannel at a wavelength outside the spontaneous emission spectrum of theamplifier. If this were not the case, the spontaneously generatedphotons from the amplifier would easily saturate the detectors on thequantum channel.

Alternatively, it is possible to operate the quantum and data channelsat the same wavelength, and achieve isolation by means of polarisation-or time-division multiplexing. The former case uses phase-encoding forthe quantum channel, as described, e.g., in our co-pending Britishapplication no. 9226995.0. The data channel operates on the orthogonalpolarisation mode of the fibre, with isolation obtained by means ofpolarisation splitting couplers such as the JDS PB 100. In thetime-division scheme, certain time slots are reserved for multi-photondata pulses which are detected by standard receivers linked to thenetwork via standard fibre couplers. Saturation of the single-photondetectors during these time slots could be prevented either by means ofswitchable attenuators (intensity modulators) or by turning off thereverse bias to the devices. Any of these isolation techniques may alsobe employed to send the system timing information concurrently with thequantum key data. This approach may be useful if, for example, thetiming jitter on the receiver local oscillators is too large to maintainsystem synchronisation over the timescale required for the quantumtransmission. A further alternative technique provides the timing dataconcurrently with the quantum transmission using the same wavelength asthe quantum channel. The receiver now contains, in addition, a standarddetector such as a sensitive PIN-FET that is connected to thetransmission fibre by a weak fibre tap that splits off e.g. ˜10% of theincoming pulse intensity. The intensity of every n-th pulse is madesufficiently large, say 10⁵ photons, that the standard detectorregisters a pulse which can be used for timing purposes. If n issufficiently large, e.g. 1000, the APDs will not suffer from heatingeffects or saturation, and a ×1000 frequency multiplier can be used inthe receiver to generate a local oscillator at the clock frequency.

Although APD's are the preferred form of detector, the present inventionis not limited to the use of APD's. Other detectors having appropriatesensitivity and discrimination at the single-photon level may be used.For example, the detector may use a photomultiplier tube.

FIG. 3 shows a specific example of a broadcast network containing tworeceivers and a transmitter. The transmitter consists of a gain-switchedsemiconductor laser 9, which may be a DFB or Fabry-Perot device, anattenuator or intensity modulator 7, and a polarisation modulator 8 andcontrol electronics 10. The single-photon detectors in the receivers maybe avalanche photodiodes (APDs) biased beyond breakdown and operating inthe Geiger mode with passive quenching, as discussed in P. D. Townsend,J. G. Rarity and P. R. Tapster, Electronics Letters, 29, 634 (1993).Silicon APDs such as the SPCM-100-PQ (GE Canada Electro Optics) can beused in the 400-1060 nm wavelength range, while Germanium or InGaAsdevices such as the NDL5102P or NDL5500P (NEC) can be used in 1000-1550nm range. Each receiver includes a microprocessor control unit 2, whichreceives the output of the APD via a discriminator/amplifier circuit 3.The control unit 2 also controls an electronic filter 4 and localoscillator 5, as well as the APD bias supply 6. The electronic filter 4isolates the first harmonic of the frequency spectrum of the signaloutput by the APD in response to synchronising pulses received via thenetwork. This generates a sinusoidal signal at the pulse frequency whichlocks the local oscillator 5. The output of the local oscillator 5 isreceived at the control unit 2 to provide a timing reference duringquantum transmissions.

The use of multi-photon signals on the transmission medium to calibratethe system prior to or during quantum transmission is described infurther detail in our above-cited co-pending British patent application.This makes it possible to compensate, e.g., for changes in fibrepolarisation resulting from environmental effects.

An alternative embodiment encodes and decodes different phase statesrather than different polarisation states P. D. Townsend, J. G. rarityand P. R. Tapster, Elect. Lett., 29, 1291 (1993) and P. D. Townsend,Elect. Lett. 30, 809 (1994). In this embodiment, the transmitter of FIG.5a is substituted for the transmitter shown in FIG. 3, and similarlyeach of the receivers is replaced by a receiver configured as shown inFIG. 5b. In the transmitter of this embodiment, a first pulsedsemiconductor laser 51, operating at a first wavelength λ_(q), where,e.g., λ_(q) =1300 nm provides the optical source for the quantumchannel. The laser and a modulator driver 53 for a phase modulator 54are controlled by a microprocessor 55.

The phase modulator 54 is located in one branch of the transmitter. Apolarisation controller PC (e.g. BT&D/HP MCP1000) is located in theother branch of the transmitter.

A second semiconductor laser 52 provides a bright multi-photon source ata wavelength λ_(S) where, e.g., λ_(S) =1560 nm. This signal is used fortiming and calibration as described above. The signal at λ_(S) iscoupled to the output of the transmitter via a WDM coupler 56 which maybe, e.g. a JDS WD1315 series device.

As an alternative to the use of separate sources for the quantum channeland the timing signal, a single semiconductor laser may be used feedingits output via a fused fibre coupler FC to two different branches, oneincluding an attenuator, and the other branch being unattenuated. Anoptical switch may then be used to select either the bright orattenuated output. Depending upon the frequency requirement, either aslow electro-mechanical device such as the JDS Fitel SW12 or a fastelectro-optic device such as the United Technologies Photonics YBBMcould be used.

In the receiver of this embodiment, a respective control microprocessor57 controls the receiver phase modulator 58 via a modulator driver 59.The receiver control processor also controls a detector bias supply 60for the receiver single-photon detector 61. In both the transmitter andthe receiver, where the signal path branches, fused-fibre 50/50 couplersare used. Suitable couplers are available commercially from SIFAM asmodel P22S13AA50. The timing signal at λ_(S) is detected by a PIN-FETreceiver 64.

Appropriate phase modulators 54, 58 for the data encoding and decodingare lithium niobate or semiconductor phase modulators operating at,e.g., 1-10 MHZ. An appropriate lithium niobate device is availablecommercially as IOC PM1300. An appropriate driver for the phasemodulators is a Tektronix AWG2020, and this can also be used as a clockgenerator for the system. For the single-photon detectors, APDs asdiscussed above with reference to FIG. 3 may be used. Significantimprovements could be obtained by combining the phase modulators andfibre devices shown in FIGS. 5a and 5b into single integratedstructures. Variations on the current design or that discussed in P. D.Townsend, J. G. rarity and P. R. Tapster, Elect. Lett. 29, 634 (1993)could be integrated onto a lithium niobate chip with the fibre pathsreplaced by waveguides and the modulator region defined by electrodes asin a standard device. Alternative fabrication methods include e.g.photo-refractively-defined planar silica waveguide structures orsemiconductor waveguide structures. In general, integration should leadto improved stability and compactness for the transmitter and receiverstructures. In particular, this embodiment uses an NEC 5103 Ge APDcooled to 77K using, e.g., Hughes 7060H cryo-cooler or a liquid nitrogendewar or cryostat. In the receiver in this embodiment, just a single APDis used with the signals corresponding to the different branches of thereceiver being separated in time by virtue of a delay loop in the upperbranch labelled "1". The key distribution protocol requires eachreceived photon to be associated with a given clock period and alsoidentified as a 0 or 1 depending upon which branch of the receiver itcomes from. These functions are performed by a time interval analyser 62(e.g. Hewlett-Packard 53110A). The start signals for this device areprovided by the APD output after processing by a circuit 63 comprisingan amplifier and discriminator which may be respectively, e.g. Lecroy821 and Lecroy 621.

The timing signal referred to above may take the form of either a singletrigger pulse, which is then used to initiate a burst of key data on thequantum channel, or as a continuous stream of pulses at the system clockfrequency which are used to re-time the receiver clock between keytransmissions. Before key transmission commences, the receiver variesthe phase modulator DC bias level in order to zero the phase shift inthe interferometer (i.e. photon transmission probability is maximised atone output port and minimised at the other). FIGS. 5a and 5b also showthe relative spatial, temporal and polarisation changes experienced bythe two components of a quantum channel pulse as they propagate throughthe transmitter and receiver. If all fibres in the system arepolarisation-preserving then no active polarisation control or staticpolarisation controllers are required in the system. However if standardfibre is used for the transmission link then active polarisation controlwill be required at the input to the receiver. This can be performedusing a standard detector, feed back circuit and automated polarisationcontrol as described in our co-pending International applicationPCT/GB93/02637 (WO94/15422).

As described in our co-pending International application also filed thisday (Agent's ref. 80/4570/03), the receivers, rather than destructivelydetecting signals on the quantum channel using respective single-photondetectors, may modulate single-photon signals received from a head-endor "controller" station before passing these back to the controllerwhere they are detected in an appropriate single-photon detector. Inthis case the transmitter and receiver structures discussed above areboth incorporated in the controller, and the network receiver stationsR1, R2 . . . each contain a phase modulator, e.g. IOC PM1300. Eachreceiver uses a data generator, e.g. Tektronix AWG2020 to generate awaveform that produces a relative phase shift between the twoorthogonally polarised pulses in each bit period. Alternatively, thesystem may be adapted to use polarisation modulators rather than phasemodulators.

In use, in configurations where timing information is not transmittedconcurrently with the quantum transmission, key distribution isinitiated by the transmitter sending a stream of timing pulses into thenetwork. The attenuator in the transmitter is not engaged at this point,so the pulses contain many photons and are received by both terminals.The receivers set the reverse bias on their detectors to be well-belowbreakdown so that the internal gain is low. In this mode the APDs candetect the multi-photon timing pulses without suffering from saturation.Each APD output signal will contain a frequency component at thefundamental repetition rate of the pulsed source, and this is used tolock the local oscillator in the receiver as described above.

After the synchronisation procedure the attenuator in the transmitter isengaged so that the output pulses contain on the order of 0.1 photons onaverage. In addition, the APDs in the receivers are biased beyondbreakdown so that internal gain is high enough to achieve detectionsensitivity at the single-photon level. Steps (a) to (c) of the quantumkey distribution protocol are then carried out. In the currentlydescribed example, using polarisation encoding, the system uses atwo-alphabet encoding scheme in which polarisation states are used toestablish the sequences of key bits (i.e. 0°=0, 90°=1 and 45°=0,1350°=1).

FIG. 4 shows details of polarisation modulators used in thepolarisation-encoding embodiments encoding embodiments when high speed(e.g. ≧1 MHZ) operation is required. The transmitter modulator is basedon a 4-into-1 optical switch that is switched randomly so that for eachpulse one of the four possible polarisation states is coupled into thenetwork. The optical switch could be based on one or more electro-opticdevices (e.g. United Technology lithium niobate Y-switch "YBBM") and the4×1 coupler could be a fused fibre device (e.g. Sifam Fibre OpticsP4S13C). The polarisation modulators in the receivers are similar indesign. However, here the different polarisation channels contain fibredelays of differing lengths. This allows a single APD to be used at theoutput, with polarisation state identification performed by means of thetime (within the laser period) at which the photo-count occurs. Asimilar detection scheme to this is described in A. Muller, J. Breguetand N. Gisin, Europhysics Letters, 23, 383 (1993).

FIG. 8 shows an alternative and preferred structure for a polarisationmodulator for a polarisation modulator when low frequency operation(e.g. ≦1 MHz) is acceptable. This comprises a stack of liquid crystalcells. In the illustrated example, the stack comprises two chiralsmectic-C cells S1, S2. Each cell comprises a pair of glass substratesg1, g2 with an InTiO electrode E formed on each substrate. A polyamidecoating, rubbed in one direction is formed on each of the electrodes.Spaces SP separate the substrates and define a volume in which theliquid crystal material is confined. A suitable material is thatavailable from Merck as ZLI-431A. The spacing between the glasssubstrates in each cell is typically in the range 1.5 to 2 μm. Thethickness of each cell is chosen so that at the wavelength of the inputbeam the cell functions e.g. as a half-wave or quarter-wave plate. Whena field is applied across each cell using the electrodes, the liquidcrystal molecules in the cell tilt at a characteristic tilt angle θ.Changing the polarity of the applied field flips the molecules throughan angle of 2θ. The cell functions as a bistable device which isswitched by the field between these two stable orientation states andcan not in general have any intermediate orientations.

The properties outlined above enable a stack of switched cells such asthat shown in the Figure to function as a polarisation modulator forselecting predetermined discreet polarisation states. For example, therehas been described above a modulation scheme using four linearpolarisation states of 0°, 90°, 45° and 135°. To implement this scheme,the first cell S1 is arranged to have a switching angle of θ=22.5° andthe second cell S2 is arranged to have θ=11.25°. It is assumed that whenboth cells are in state "0" that their optical axis are parallel.Labelling the two states of the first cell as 0 and π/4, and the twostates of the second cell as 0 and π/8, the different outputs requiredfrom the polarisation modulator are obtained as show in Table 1 below:

                  TABLE 1                                                         ______________________________________                                        Input      cell 1 state                                                                           cell 2 state  Output                                      ______________________________________                                        linear     0        0             linear                                      vertical                          vertical                                    linear     π/4   0             linear                                      vertical                          horizontal                                  linear     0        π/8        linear 135°                          vertical                          to                                                                            horizontal                                                                    (ccw)                                       linear     π/4   π/8        linear 45°                           vertical                          to                                                                            horizontal                                                                    (ccw)                                       ______________________________________                                    

An alternative encoding scheme might use two linear polarisation statesand two circular polarisation states linear vertical, linear horizontal,right circular and left circular. A liquid crystal modulator forimplementing such a scheme again comprises a stack of two cells. In thiscase the first cell S1 is a half-wave cell with θ=22.5° and the secondcell S2 is a quarter-wave cell with θ=22.5°. The following table showsthe different states for this

                  TABLE 2                                                         ______________________________________                                        Input      cell 1 state                                                                           cell 2 state  Output                                      ______________________________________                                        linear     0        0             linear                                      vertical                          vertical                                    linear     0        π/4        right                                       vertical                          circular                                    linear     π/4   π/4        left                                        vertical                          circular                                    linear     π/4   0             linear                                      vertical                          horizontal                                  ______________________________________                                    

A further alternative encoding scheme comprises six states being asuperposition of the states used in the first two schemes. A modulatorto implement this scheme uses a stack of three cells, the first twocells being as described in the immediately preceding example, and beingfollowed by a third cell which is a half-wave cell with θ=11.25°. Thestates for this modulator are shown in the following table:

                  TABLE 3                                                         ______________________________________                                                cell 1     cell 2 cell 3                                              Input   state      state  state    output                                     ______________________________________                                        linear  0          0      0        linear                                     vertical                           vertical                                   linear  π/4     0      0        linear                                     vertical                           horizontal                                 linear  0          0      π/8   linear 135°                         vertical                                                                      linear  π/4     0      π/8   linear 45°                          vertical                                                                      linear  0          π/4 0        left circular                              vertical                                                                      linear  π/4     π/4 0        right                                      vertical                           circular                                   linear  0          π/4 π/8   left circular                              vertical                                                                      linear  π/4     π/4 π/8   right                                      vertical                           circular                                   ______________________________________                                    

In this example, the left circular pair and right circular pair areessentially degenerate. While the absolute phase of the circularpolarisations differ, the fact that the intensity is time averaged overa period many times the oscillation period of the wave means that theabsolute phase is irrelevant. One is therefore left with four linearpolarisation states and a left and right circular polarisation state.Effectively, when cell 2 is on, it does not matter what state cell 3 isin.

A number of other configurations are possible for a stacked liquidcrystal modulator. For example the half-wave cells in the examplesdescribed above could be split into pairs of quarter-wave cells. Theorder of some of the cell combinations could also be changed. Furtherpossible modification is the use of electroclinic devices to providecontinuously tunable wave plates providing further coding flexibility.

The use of liquid crystal modulators as described above is found to behighly advantageous, enabling switching at relatively high rates with,for example, 10 μs pulse spacing and offering the possibility ofcompact, cheap devices.

As already noted, phase modulation may be used as an alternative topolarisation modulation. FIG. 7 is a graph showing, in the upper plot,the encoding sequence of phase shifts of 0°, 90°, 180° or 270° appliedat the transmitter and in the lower plot the two phase states of 0° or90° used at the receiver in detecting the modulated signal. In thisexample, the bit period is 1 μs.

In the steps (a) to (c), a sufficient number of single photon pulsesneed to be transmitted for each receiver to establish the requirednumber of key bits. The topology of optical fibre path from the centralnode to the terminals depends on the network architecture. For example,the path may split via a single l-into-n coupler or some othercombination of l-into-m couplers, where n is the number of terminals onthe network and m<n. The probability that any given photon arrives at aterminal from the central node is given by the transmission coefficientfor that specific path, t=exp-(α1+β), where αis the fibre losscoefficient per unit length, 1 is the path length and βis the netcoupling ratio for the path. The quantum mechanical properties of singlephotons ensure that a given photon will either be detected at one, andonly one, of the terminals or will be lost from the system (α>0), andthat this process occurs in a totally random and unpredictable way.Consequently, each terminal has no way of predicting whether or not aphoton will arrive during a given clock period. Instead, all terminalsmake measurements as described in step (b) at the clock rate, and foreach successful detection of a photon record the alphabet used for themeasurement, the actual result of the measurement and the time-slot inwhich the photon arrived.

After completing the quantum transmission, the central node sequentiallypolls each of the terminals on the network and carries out steps (d) to(f) of the protocol. In this process the individual photons and theirsent and received states are identified by means of the time-slot inwhich they were detected and transmitted. At the end of this process thecentral node is in possession of n secret keys, each one shared with aspecific terminal on the network. However, except with a smallprobability which can be reduced arbitrarily close to zero by privacyamplification (see below) each terminal has no knowledge of any otherkey apart from its own. These keys can now be used to securely encryptdata transmissions between each terminal and the central node.Consequently, any encrypted data that is broadcast from the transmittercan only be read by the terminal for which it is intended. In addition,the terminals can communicate securely with each other via the centralnode which acts as a secure interpreter. The public discussion stages(steps (d) to (f)) described above may be carried out over the samenetwork or over a separate and independent communication channel.

Practical quantum channels, suffer from unavoidable background errorrates due to detector dark counts, and environmentally-inducedfluctuations in the polarisation (or phase) state in the fibre etc. Inthis case the public discussion phase may contain an additional stage oferror correction and so-called "privacy amplification". This bothensures that the transmitter and receiver end up with identical keys andthat any key information leaked to an eavesdropper or another terminalis an arbitrarily small fraction of one bit. This procedure is outlinedbelow and described in further detail in C. H. Bennett, F. Bessette, G.Brassard, L. Salvail and J. Smolin: "Experimental Quantum Cryptography",J. Cryptology, 5, 3 (1992).

The purpose of quantum key distribution is for Alice and Bob (i.e. thetransmitter and receiver) to share an identical secret string of bits.After discarding those bits occurring in time slots where differentbases were chosen we would, in the absence of eavesdropping and in anideal world, expect Alice and Bob to share an identical secret bitstring. For security all errors should be assumed to have come from aneavesdropper. Given this assumption the question becomes one of whethera provably secret key can still be established despite the assumedpresence of Eve. The procedure of error-correction, carried out over anauthenticated public channel, will result in Eve knowing a greaterfraction of the usable bits, as explained below. A procedure called"privacy amplification" can then be used to reduce Eve's informationabout the final key to a negligible amount at the expense of reducingthe number of secret key bits. After this procedure Alice and Bob willpossess a shared sequence of bits which is provably secret to anextremely high confidence level. The different stages of quantum keydistribution are then as follows:

i) Alice and Bob perform raw transmission and discard bits fromdifferent bases.

ii) Public comparison of randomly-selected sample and estimation oferror rate.

iii) Error correction procedure produces error-corrected key.

iv) Estimation of how much information Eve has about the key.

v) Perform privacy amplification to distil a final secret key aboutwhich Eve has negligible information. FIG. 9 is a flow diagram showingthe above stages and the data flow between the controller (Alice) andthe ith user (Bob).

Although the examples described above use optical fibre networks, thepresent invention is generally applicable to any system providing amedium which can be prepared and maintained in appropriate quantumstates to provide a quantum channel. For example electron states orother particles may be used.

Although in the example of FIG. 1 only three receivers are shown, inpractice networks employing greater numbers of receivers will often beused. The number chosen will vary according to the field of use. For alocal installation on a single site, the network might comprise only 10receivers or terminals. By contrast, for a public network several 10'sor even a 100 or more receivers might be connected to the network andwould receive quantum keys distributed from a single server.

In order to obtain an estimate of the maximum possible number ofreceivers allowed on the network, we consider the example of a ringnetwork with a quantum channel operating in the 800 nm wavelength bandwhich uses components discussed above. The network comprises n users andthe splitting ratios of the couplers in the network are chosen so thateach terminal receives a fraction 1/n of the photons in the quantumchannel. The upper limit for the source pulse rate is determined by theresponse time of the detectors (˜3 ns for the SPCM-100-PQ) and thebandwidth of the modulators (˜600 MHz for the United Technology YBBM),in that the detection scheme must be able to distinguish individual, andpossibly consecutive, pulses. Consequently, a pulse rate of 100 MHz ischosen for the laser which is attenuated to a low intensitycorresponding to 0.1 photons per pulse on average after propagationthrough the transmitter modulator. The loss in the modulators is takento be 10 dB, which is a worst case estimate. The average rate at whichphotons enter the network is thus r_(o) ˜10 MHz. If the network issufficiently short (i.e. <1 km) that the loss in the transmission fibreis negligible, then each terminal receives photons at an average rater_(o) /n. The quantum efficiency of the SPCM APD is about 30% and theloss in the modulator is 10 dB so the photon detection rate will be0.03r_(o) /n. In order to achieve a low error rate in the system wechoose 0.03r_(o) /n>1000 (i.e. a factor of 10 higher than the dark countrate for the detector ˜100 Hz). This gives a maximum value of n=300 forthe number of receivers on the network. In practise it is likely than nwould be reduced in order to accommodate more loss in the transmissionfibre and hence an increased network span.

As discussed in the introduction above the present invention may be usedwith a variety of different network topologies, including those in whichthe receivers, rather than detecting the photon destructively, modulateit and pass it on to the transmitter, as described, e.g., in PCT/GB93/02637. A possible attack upon such an implementation requires Eve(the eavesdropper) to intercept the quantum channel on both sides of agiven user Bob. Then by transmitting and detecting a multi-photon signalEve can determine unambiguously the state of Bob's modulator. Again inpractice it is likely to be very difficult for Eve to establishconnections to two or more points in the network. Nonetheless, where itdesired to protect against an attack of the type described this may bedone by providing at least one of the receivers on the network with aphoton detector connected to the network by a relatively weak tap. Thisphoton detector need not be of the sensitivity of the single photondetectors employed conventionally in receivers, nor need every user havesuch a detector. The presence of such a detector in the networkfacilitates the detection of any multi-photon probe used by Eve.

We claim:
 1. A method of communication using quantum cryptography, saidmethod comprising:communicating from a transmitter on a quantum channelover a common communications network with a plurality of receiverslocated on the common communications network; and simultaneouslyestablishing from a single series of transmitted modulated single photonsignals different respective secret keys for a plurality of receivers.2. A method as in claim 1, in which the network is an optical network.3. A method as in claim 1 further comprising an initial step ofbroadcasting a multi-photon pulse from the transmitter to the pluralityof receivers to synchronise the receivers to the transmitter.
 4. Amethod as in claim 2, in which the step of broadcasting a multi-photonpulse forms part of a calibration phase in which the receivers arecalibrated for subsequent reception of single-photon pulses.
 5. A methodof communication using quantum cryptography, said methodcomprising:communicating from a transmitter on a quantum channel over acommon communications network with a plurality of receivers located onthe common communications network; and establishing a differentrespective secret key for each receiver; the quantum channel beingmultiplexed with at least one classical channel carried concurrently onthe network.
 6. A method as in claim 5, in which the quantum channel iscarried on a different wavelength to the at least one classical channel.7. A method as in claim 5, in which a concurrently transmitted classicalchannel includes timing information for re-synchronising the receiversto the transmitter during reception of the transmission on the quantumchannel.
 8. A method as in claim 1 further comprising modifying thesensitivity of at least one of the receivers thereby substantiallyequalising the sensitivity of all the receivers on the network.
 9. Amethod of communication using quantum cryptography, said methodcomprising:communicating from a transmitter on a quantum channel over acommon communications network with a plurality of receivers located onthe common communications network; and establishing a differentrespective secret key for each receiver; every nth pulse, where n is aninteger greater than 1, being transmitted on the quantum channel with ahigher intensity, the higher intensity pulses being discriminated at thereceivers to provide a timing reference.
 10. A communications systemcomprising:a transmitter, a plurality of receivers, and a multipleaccess network linking the transmitter to the receivers, wherein thetransmitter includes means for generating single-photon pulses encodedin different quantum states and means for establishing different quantumcryptographic keys over the multiple access network simultaneously for aplurality of receivers.
 11. A communication system as in claim 10 inwhich each receiver includes a respective single-photon detector.
 12. Acommunication system as in claim 10 in which at least one of thereceivers includes a respective single-photon modulator and thetransmitter includes a detector for single-photon signals modulated andreturned by respective receivers.